Materialize-css vulnerable to Improper Neutralization of Input During Web Page Generation

Description

In Materialize through 1.0.0, XSS is possible via the Toast feature.

Recommendation

Update the @materializecss/materialize package to the latest compatible version. Followings are version details:

• Affected version(s): < 1.1.0-alpha
• Patched version(s): 1.1.0-alpha

References

• GHSA-rg3q-jxmp-pvjj
• CVE-2019-11004
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal - CVE-2024-50336
• webpack-dev-server users' source code may be stolen when they access a malicious web site - CVE-2025-30359
• Vega allows Cross-site Scripting via the vlSelectionTuples function (GHSA-mp7w-mhcv-673j) - CVE-2025-25304
• Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service - CVE-2022-35204

Tags:

npm

@materializecss/materialize